Re: Yahoo breaks every mailing list in the world including the IETF's

Phillip Hallam-Baker <> Mon, 19 May 2014 21:39 UTC

To: "Fred Baker (fred)" <>
Cc: Eric Dynamic <>, IETF <>

On Mon, May 19, 2014 at 3:28 PM, Fred Baker (fred) <> wrote:
> Several people have replied to the tone of your email. Let me reply with a
> bit of somewhat-technical commentary.
> In their defense, Microsoft has taken a pretty strong approach to software
> quality over the past decade plus. Frankly, poor software quality has hurt
> them. It is in their interest to fix it for several reasons, not just this
> one. That is perhaps one of the best arguments for their current campaign to
> move their users from Windows XP-and-older to their latest operating systems
> - it reduces their support costs and improves the quality of their brand.

If we were going to start pointing fingers, buffer overruns are an
invention of Dennis Ritchie and UNIX.

Microsoft Basic, the last code Bill Gates wrote himself, had memory
management and garbage collection on strings.

Windows 95 was never designed to be an Internet operating system.
Microsoft changed course on that in mid-1995 just after the launch of
Windows 95. Windows XP was designed to be the last phase of the bridge
to a fully accounts-based security model.

I remember that when Vista came out there was a huge amount of
complaining from system admins whose lazy shiftless persons would
actually have to do some work as a result of the new security model.
So instead of that they yammered on about Vista not being any good and
did their best to drag their feet. All the while knowing that the
Windows XP security model was compromised by the need for backwards
compatibility to Win 95.

Even today most of the NSA runs on Windows XP or earlier. Which is how
Snowden was able to extract all that data. And in the PKIX working
group we had DoD contractors trying to block any changes to the specs
that would force updates on the Netscape CA used by the DoD PKI that
has cost over a billion dollars to deploy.

There are certainly security problems on the net. But claiming that
they are exclusively the fault of one party hides the fact that there
is far more blame to go round.